
samply/secret-sync


Bridgehead Secret Sync

Usage

Local

This component generates a bash-sourceable cache file from a set of secret definitions by communicating with the central part of this component via beam.

This enables secure generation and validation of secret tokens such as OpenID Connect client secrets.

Example

services:
  local:
    image: samply/secret-sync-local:latest
    environment:
      # See below for the format specification
      - SECRET_DEFINITIONS=${ARGS}
      # The beam app id of the central half of this component
      - OIDC_PROVIDER=${OIDC_PROVIDER_APP_ID}
      # Required args for the beam proxy; for more options look at the beam Readme
      - PROXY_ID=proxy1.broker
      - BROKER_URL=${BROKER_URL}
    volumes:
      # The path can be configured via CACHE_PATH; this container path is the default
      - ${CACHE_PATH}:/usr/local/cache
    # Used for the embedded beam proxy
    secrets:
      - privkey.pem
      - root.crt.pem

Secret Definitions

SECRET_DEFINITIONS should be a \x1E (ASCII record separator) delimited list of secret definitions. A secret definition is a colon-separated 3-tuple: the first value is the secret type, which defines how the secret is generated; the second is the secret's name, which is the name written to the secrets cache file; the third is the data used to generate the secret, whose format depends on the secret type.

Central

Example

services:
  central:
    image: samply/secret-sync-central:latest
    environment:
      # Url of the local beam proxy
      - BEAM_URL=http://proxy:8082
      # App id of this beam app
      - BEAM_ID=secret-sync.central.broker
      - BEAM_SECRET=${BEAM_SECRET_FOR_THIS_APP}

      # Optional keycloak parameters
      - KEYCLOAK_URL=http://keycloak:8080
      # Client id of the keycloak client which has to have permissions to create clients
      - KEYCLOAK_ID=my_keycloak_admin
      # The client secret for the client
      - KEYCLOAK_SECRET=my_secret
      # Extra service account roles for the private client
      - KEYCLOAK_SERVICE_ACCOUNT_ROLES=query-users,query-groups

Secret types

OIDC

Registers an OpenID Connect client at the central half of this component.

Secret type: OIDC
The arguments in the data field are separated by semicolons. The arguments are:

  • The type of OIDC client which gets created. Either public or private
  • A comma separated list of urls permitted for redirection

Example: OIDC:MY_OIDC_CLIENT_SECRET:public;https://foo.com,https://bar.com
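As an added example (not code from this project), the following Python builds a SECRET_DEFINITIONS value in the format described above and parses it back into checked 3-tuples, so a definition can be validated before it is handed to the container. It only knows the OIDC type; the absolute-URL check on redirect URLs is an assumption added here, not a rule stated by the project.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

RS = "\x1e"  # ASCII record separator delimiting the secret definitions


@dataclass(frozen=True)
class OidcDefinition:
    name: str              # name written to the secrets cache file
    client_type: str       # "public" or "private"
    redirect_urls: tuple   # urls permitted for redirection


def build_definitions(defs) -> str:
    """Join (type, name, data) tuples into one SECRET_DEFINITIONS value."""
    return RS.join(":".join(d) for d in defs)


def parse_oidc_data(name: str, data: str) -> OidcDefinition:
    # OIDC data is "<client type>;<comma separated redirect urls>"
    parts = data.split(";")
    if len(parts) != 2:
        raise ValueError(f"{name}: OIDC data needs exactly two ';'-separated arguments")
    client_type, url_list = parts
    if client_type not in ("public", "private"):
        raise ValueError(f"{name}: client type must be public or private, got {client_type!r}")
    urls = tuple(u for u in url_list.split(",") if u)
    for u in urls:
        # Assumed sanity check (not from the project docs): require an absolute url
        split = urlsplit(u)
        if not split.scheme or not split.netloc:
            raise ValueError(f"{name}: redirect url {u!r} is not an absolute url")
    return OidcDefinition(name, client_type, urls)


def parse_definitions(value: str):
    """Parse a SECRET_DEFINITIONS string into OidcDefinition objects."""
    result = []
    for record in value.split(RS):
        if not record:
            continue
        # maxsplit=2 keeps the colons inside the data part (e.g. in https://...)
        fields = record.split(":", 2)
        if len(fields) != 3:
            raise ValueError(f"definition {record!r} is not a type:name:data 3-tuple")
        secret_type, name, data = fields
        if secret_type != "OIDC":
            raise ValueError(f"{name}: unknown secret type {secret_type!r}")
        result.append(parse_oidc_data(name, data))
    return result


def is_valid(value: str) -> bool:
    """True if every definition in value parses and passes the checks above."""
    try:
        parse_definitions(value)
        return True
    except ValueError:
        return False
```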

About

Sync bridgehead secrets via beam
